AzureAD/Create-AadAppsForNav.ps1
<#
.Synopsis Create Apps in Azure Active Directory to allow Single Signon when using AAD .Description This function will create an app in AAD, to allow Web and Windows Client to use AAD for authentication Optionally the function can also create apps for the Excel AddIn and/or PowerBI integration .Parameter AadAdminCredential Credentials for your AAD/Office 365 administrator user, who can create apps in the AAD .Parameter appIdUri Unique Uri to identify the AAD App (typically we use the URL for the Web Client) .Parameter publicWebBaseUrl URL for the Web Client (defaults to the value of appIdUri) .Parameter iconPath Path of the image you want to use for the SSO App .Parameter IncludeExcelAadApp Add this switch to request the function to also create an AAD app for the Excel AddIn .Parameter IncludePowerBiAadApp Add this switch to request the function to also create an AAD app for the PowerBI service .Parameter IncludeEMailAadApp Add this switch to request the function to also create an AAD app for the EMail service .Parameter IncludeApiAccess Add this switch to add application permissions for Web Services API and automation API .Parameter Singletenant Indicates whether this application is singletenant .Parameter PreAuthorizePowerShell Indicates whether the well known PowerShell AppID (1950a258-227b-4e31-a9cf-717495945fc2) should be pre-authorized for access .Parameter useCurrentAzureAdConnection Specify this switch to use the current Azure AD Connection instead of invoking Connect-AzureAD (which will pop up a UI) .Example Create-AadAppsForNAV -AadAdminCredential (Get-Credential) -appIdUri https://mycontainer.mydomain/bc/ #> function Create-AadAppsForNav { Param ( [Parameter(Mandatory=$false)] [PSCredential] $AadAdminCredential, [Parameter(Mandatory=$true)] [string] $appIdUri, [Parameter(Mandatory=$false)] [string] $publicWebBaseUrl = $appIdUri, [Parameter(Mandatory=$false)] [string] $iconPath, [switch] $IncludeExcelAadApp, [switch] $IncludePowerBiAadApp, [switch] $IncludeEmailAadApp, [switch] $IncludeApiAccess, [switch] $SingleTenant, [switch] $preAuthorizePowerShell, [switch] $useCurrentAzureAdConnection, [Hashtable] $bcAuthContext ) $telemetryScope = InitTelemetryScope -name $MyInvocation.InvocationName -parameterValues $PSBoundParameters -includeParameters @() try { Write-Host -ForegroundColor Red 'Create-AadAppsForBC is deprecated, please use New-AadAppsForBc instead' Write-Host -ForegroundColor Red 'Create-AadAppsForBC is using AzureAD to create AAD Apps (which is deprecated)' Write-Host -ForegroundColor Red 'New-AadAppsForBC is using Microsoft.Graph to create AAD Apps' $publicWebBaseUrl = "$($publicWebBaseUrl.TrimEnd('/'))/" if (!(Get-PackageProvider -Name NuGet -ListAvailable -ErrorAction Ignore)) { Write-Host "Installing NuGet Package Provider" Install-PackageProvider -Name NuGet -MinimumVersion 2.8.5.201 -Force -WarningAction Ignore | Out-Null } if (!(Get-Package -Name AzureAD -ErrorAction Ignore)) { Write-Host "Installing AzureAD PowerShell package" Install-Package AzureAD -Force -WarningAction Ignore | Out-Null } # Connect to AzureAD if ($useCurrentAzureAdConnection) { $account = Get-AzureADCurrentSessionInfo } elseif ($bcAuthContext) { $bcAuthContext = Renew-BcAuthContext -bcAuthContext $bcAuthContext $jwtToken = Parse-JWTtoken -token $bcAuthContext.accessToken if ($jwtToken.aud -ne 'https://graph.windows.net') { Write-Host -ForegroundColor Yellow "The accesstoken was provided for $($jwtToken.aud), should have been for https://graph.windows.net" } $account = Connect-AzureAD -AadAccessToken $bcAuthContext.accessToken -AccountId $jwtToken.upn } else { if ($AadAdminCredential) { $password = [System.Runtime.InteropServices.Marshal]::PtrToStringBSTR([System.Runtime.InteropServices.Marshal]::SecureStringToBSTR($AadAdminCredential.Password)) if ($password.Length -gt 100) { $account = Connect-AzureAD -AadAccessToken $password -AccountId $AadAdminCredential.UserName } else { $account = Connect-AzureAD -Credential $AadAdminCredential } } else { $account = Connect-AzureAD } } $AdProperties = @{} $adUserObjectId = 0 $aadDomain = $account.TenantDomain $aadTenant = $account.TenantId $AdProperties["AadTenant"] = $AadTenant if ($account.Account.Type -eq 'ServicePrincipal') { $adUser = Get-AzureADServicePrincipal -Filter "AppId eq '$($account.Account.Id)'" } else { $adUser = Get-AzureADUser -ObjectId $account.Account.Id } if (!$adUser) { throw "Could not identify Aad Tenant" } $adUserObjectId = $adUser.ObjectId # Remove "old" AD Application Get-AzureADMSApplication -All $true | Where-Object { $_.IdentifierUris -contains $appIdUri } | ForEach-Object { Remove-AzureADMSApplication -ObjectId $_.Id } $signInReplyUrls = @("$($publicWebBaseUrl.ToLowerInvariant())SignIn",$publicWebBaseUrl.ToLowerInvariant().TrimEnd('/')) $oAuthReplyUrls = @("$($publicWebBaseUrl.ToLowerInvariant())OAuthLanding.htm") if ($publicWebBaseUrl.ToLowerInvariant() -cne $publicWebBaseUrl) { $signInReplyUrls += @("$($publicWebBaseUrl)SignIn",$publicWebBaseUrl.TrimEnd('/')) $oAuthReplyUrls += @("$($publicWebBaseUrl)OAuthLanding.htm") } Write-Host "Creating AAD App for WebClient" if ($SingleTenant.IsPresent) { $signInAudience = 'AzureADMyOrg' } else { $signInAudience = 'AzureADMultipleOrgs' } $informationalUrl = @{ } if ($iconPath) { $informationalUrl += @{ "LogoUrl" = $iconPath } } $ssoAdApp = New-AzureADMSApplication ` -DisplayName "WebClient for $publicWebBaseUrl" ` -IdentifierUris $appIdUri ` -Web @{ "ImplicitGrantSettings" = @{ "EnableIdTokenIssuance" = $true }; "RedirectUris" = $signInReplyUrls } ` -SignInAudience $signInAudience ` -InformationalUrl @{ "LogoUrl" = $iconPath } ` -RequiredResourceAccess @( @{ ResourceAppId = "00000003-0000-0000-c000-000000000000"; ResourceAccess = @( # Microsoft Graph [PSCustomObject]@{ "Id" = "e1fe6dd8-ba31-4d61-89e7-88639da4683d"; "Type" = "Scope" } # User.Read [PSCustomObject]@{ "Id" = "9769c687-087d-48ac-9cb3-c37dde652038"; "Type" = "Scope" } # EWS.AccessAsUser.All [PSCustomObject]@{ "Id" = "5fa075e9-b951-4165-947b-c63396ff0a37"; "Type" = "Scope" } # PrinterShare.ReadBasic.All [PSCustomObject]@{ "Id" = "21f0d9c0-9f13-48b3-94e0-b6b231c7d320"; "Type" = "Scope" } # PrintJob.Create [PSCustomObject]@{ "Id" = "6a71a747-280f-4670-9ca0-a9cbf882b274"; "Type" = "Scope" } # PrintJob.ReadBasic )} @{ ResourceAppId = "00000009-0000-0000-c000-000000000000"; ResourceAccess = # Power BI Service [PSCustomObject]@{ "Id" = "4ae1bf56-f562-4747-b7bc-2fa0874ed46f"; "Type" = "Scope" } # Report.Read.All } @{ ResourceAppId = "00000003-0000-0ff1-ce00-000000000000"; ResourceAccess = @( # SharePoint [PSCustomObject]@{ "Id" = "640ddd16-e5b7-4d71-9690-3f4022699ee7"; "Type" = "Scope" } # AllSites.Write [PSCustomObject]@{ "Id" = "2cfdc887-d7b4-4798-9b33-3d98d6b95dd2"; "Type" = "Scope" } # MyFiles.Write )} ) $admspwd = New-AzureADMSApplicationPassword -ObjectId $SsoAdApp.Id -PasswordCredential @{ "DisplayName" = "Password" } $AdProperties["SsoAdAppKeyValue"] = $admspwd.SecretText $SsoAdAppId = $ssoAdApp.AppId.ToString() $AdProperties["SsoAdAppId"] = $SsoAdAppId # Get oauth2 permission id for sso app $oauth2permissionid = [GUID]::NewGuid().ToString() $ssoAdApp.Api.Oauth2PermissionScopes.Add(@{ "Id" = $oauth2permissionid "value" = "user_impersonation" "Type" = "User" "adminConsentDisplayName" = "Access WebClient for $publicWebBaseUrl" "adminConsentDescription" = "Allow the application to access WebClient for $publicWebBaseUrl on behalf of the signed-in user." "userConsentDisplayName" = "Access WebClient for $publicWebBaseUrl" "userConsentDescription" = "Allow the application to access WebClient for $publicWebBaseUrl on your behalf." "IsEnabled" = $true }) Set-AzureADMSApplication -ObjectId $ssoAdApp.Id -Api $ssoAdApp.Api if ($IncludeApiAccess) { $appRoleId = [Guid]::NewGuid().ToString() Set-AzureADMSApplication ` -ObjectId $ssoAdApp.id ` -AppRoles @{ "Id" = $appRoleId "DisplayName" = "API.ReadWrite.All" "Description" = "Full access to web services API" "Value" = "API.ReadWrite.All" "IsEnabled" = $true "AllowedMemberTypes" = @("Application","User") } } if ($preAuthorizePowerShell) { $ssoAdApp.Api.PreAuthorizedApplications.Add(@{ "AppId" = "1950a258-227b-4e31-a9cf-717495945fc2"; "DelegatedPermissionIds" = @($oauth2permissionid) }) Set-AzureADMSApplication -ObjectId $ssoAdApp.Id -Api $ssoAdApp.Api } # API Access Aad App if ($IncludeApiAccess) { # Remove "old" Api AAD Application $ApiIdentifierUri = $appIdUri.Replace('://','://api.') Get-AzureADMSApplication -All $true | Where-Object { $_.IdentifierUris -contains $ApiIdentifierUri } | ForEach-Object { Remove-AzureADMSApplication -ObjectId $_.Id } # Create AD Application Write-Host "Creating AAD App for API Access" $apiAdApp = New-AzureADMSApplication ` -DisplayName "API Access for $publicWebBaseUrl" ` -IdentifierUris $ApiIdentifierUri ` -Web @{ "RedirectUris" = $oAuthReplyUrls } ` -SignInAudience $signInAudience ` -RequiredResourceAccess @( @{ ResourceAppId = "$SsoAdAppId"; ResourceAccess = @( # BC SSO App [PSCustomObject]@{ "Id" = "$oauth2permissionid"; "Type" = "Scope" } # OAuth2 [PSCustomObject]@{ "Id" = "$appRoleId"; "Type" = "Role" } # API.ReadWrite.All )} @{ ResourceAppId = "00000003-0000-0000-c000-000000000000"; ResourceAccess = # Microsoft Graph [PSCustomObject]@{ "Id" = "e1fe6dd8-ba31-4d61-89e7-88639da4683d"; "Type" = "Scope" } # User.Read } ) $apiAdAppId = $apiAdApp.AppId.ToString() $AdProperties["ApiAdAppId"] = $apiAdAppId $admspwd = New-AzureADMSApplicationPassword -ObjectId $apiAdApp.Id -PasswordCredential @{ "DisplayName" = "Password" } $AdProperties["ApiAdAppKeyValue"] = $admspwd.SecretText $sp = @( $null, $null ) $idx = 0 $ssoAdAppId,$apiAdAppId | % { $appId = $_ $app = Get-AzureADApplication -All $true | Where-Object { $_.AppId -eq $appId } if (!$app) { Write-Host -NoNewline "Waiting for AD App synchronization." do { Start-Sleep -Seconds 2 $app = Get-AzureADApplication -All $true | Where-Object { $_.AppId -eq $appId } } while (!$app) } $sp[$idx] = Get-AzureADServicePrincipal -All $true | Where-Object { $_.AppId -eq $appId } if (!$sp[$idx]) { $sp[$idx] = New-AzureADServicePrincipal -AppId $appId -Tags @("WindowsAzureActiveDirectoryIntegratedApp") } $idx++ } New-AzureADServiceAppRoleAssignment -ObjectId $sp[1].ObjectId -PrincipalId $sp[1].ObjectId -ResourceId $sp[0].ObjectId -Id $appRoleId | Out-Null } # Excel Ad App if ($IncludeExcelAadApp) { # Remove "old" Excel AD Application $ExcelIdentifierUri = $appIdUri.Replace('://','://xls.') Get-AzureADMSApplication -All $true | Where-Object { $_.IdentifierUris -contains $ExcelIdentifierUri } | ForEach-Object { Remove-AzureADMSApplication -ObjectId $_.Id } # Create AD Application Write-Host "Creating AAD App for Excel Add-in" $excelAdApp = New-AzureADMSApplication ` -DisplayName "Excel AddIn for $publicWebBaseUrl" ` -IdentifierUris $ExcelIdentifierUri ` -Web @{ "ImplicitGrantSettings" = @{ "EnableIdTokenIssuance" = $true; "EnableAccessTokenIssuance" = $true }; "RedirectUris" = ($oAuthReplyUrls+@("https://az689774.vo.msecnd.net/dynamicsofficeapp/v1.3.0.0/*")) } ` -SignInAudience $signInAudience ` -RequiredResourceAccess @( @{ ResourceAppId = "$SsoAdAppId"; ResourceAccess = # BC SSO App [PSCustomObject]@{ "Id" = "$oauth2permissionid"; "Type" = "Scope" } # Oauth2 } @{ ResourceAppId = "00000003-0000-0000-c000-000000000000"; ResourceAccess = # Microsoft Graph [PSCustomObject]@{ "Id" = "e1fe6dd8-ba31-4d61-89e7-88639da4683d"; "Type" = "Scope" } # User.Read } ) $ExcelAdAppId = $excelAdApp.AppId.ToString() $AdProperties["ExcelAdAppId"] = $ExcelAdAppId $admspwd = New-AzureADMSApplicationPassword -ObjectId $excelAdApp.Id -PasswordCredential @{ "DisplayName" = "Password" } $AdProperties["ExcelAdAppKeyValue"] = $admspwd.SecretText } # PowerBI Ad App if ($IncludePowerBiAadApp) { # Remove "old" PowerBI AD Application $PowerBiIdentifierUri = $appIdUri.Replace('://','://pbi.') Get-AzureADMSApplication -All $true | Where-Object { $_.IdentifierUris -contains $PowerBiIdentifierUri } | ForEach-Object { Remove-AzureADMSApplication -ObjectId $_.Id } # Create AD Application Write-Host "Creating AAD App for PowerBI Service" $powerBiAdApp = New-AzureADMSApplication ` -DisplayName "PowerBI Service for $publicWebBaseUrl" ` -IdentifierUris $PowerBiIdentifierUri ` -Web @{ "RedirectUris" = $oAuthReplyUrls } ` -SignInAudience $signInAudience ` -RequiredResourceAccess @( @{ ResourceAppId = "00000009-0000-0000-c000-000000000000"; ResourceAccess = # Power BI Service [PSCustomObject]@{ "Id" = "4ae1bf56-f562-4747-b7bc-2fa0874ed46f"; "Type" = "Scope" } # Report.Read.All } @{ ResourceAppId = "00000003-0000-0000-c000-000000000000"; ResourceAccess = # Microsoft Graph [PSCustomObject]@{ "Id" = "e1fe6dd8-ba31-4d61-89e7-88639da4683d"; "Type" = "Scope" } # User.Read } ) $PowerBiAdAppId = $powerBiAdApp.AppId.ToString() $AdProperties["PowerBiAdAppId"] = $PowerBiAdAppId $admspwd = New-AzureADMSApplicationPassword -ObjectId $PowerBiAdApp.Id -PasswordCredential @{ "DisplayName" = "Password" } $AdProperties["PowerBiAdAppKeyValue"] = $admspwd.SecretText } # EMail App if ($IncludeEmailAadApp) { # Remove "old" Email AD Application $EMailIdentifierUri = $appIdUri.Replace('://','://email.') Get-AzureADMSApplication -All $true | Where-Object { $_.IdentifierUris -contains $EMailIdentifierUri } | ForEach-Object { Remove-AzureADMSApplication -ObjectId $_.Id } # Create AD Application Write-Host "Creating AAD App for EMail Service" $EMailAdApp = New-AzureADMSApplication ` -DisplayName "EMail Service for $publicWebBaseUrl" ` -IdentifierUris $EMailIdentifierUri ` -Web @{ "ImplicitGrantSettings" = @{ "EnableIdTokenIssuance" = $true; "EnableAccessTokenIssuance" = $true }; "RedirectUris" = $oAuthReplyUrls } ` -SignInAudience $signInAudience ` -RequiredResourceAccess ` @{ ResourceAppId = "00000003-0000-0000-c000-000000000000"; ResourceAccess = @( # Microsoft Graph [PSCustomObject]@{ "Id" = "e1fe6dd8-ba31-4d61-89e7-88639da4683d"; "Type" = "Scope" } # User.Read [PSCustomObject]@{ "Id" = "64a6cdd6-aab1-4aaf-94b8-3cc8405e90d0"; "Type" = "Scope" } # Email [PSCustomObject]@{ "Id" = "e383f46e-2787-4529-855e-0e479a3ffac0"; "Type" = "Scope" } # Mail.ReadWrite [PSCustomObject]@{ "Id" = "024d486e-b451-40bb-833d-3e66d98c5c73"; "Type" = "Scope" } # Mail.Send )} $EMailAdAppId = $EMailAdApp.AppId.ToString() $AdProperties["EMailAdAppId"] = $EMailAdAppId $admspwd = New-AzureADMSApplicationPassword -ObjectId $EmailAdApp.Id -PasswordCredential @{ "DisplayName" = "Password" } $AdProperties["EMailAdAppKeyValue"] = $admspwd.SecretText } $AdProperties } catch { TrackException -telemetryScope $telemetryScope -errorRecord $_ throw } finally { TrackTrace -telemetryScope $telemetryScope } } Set-Alias -Name Create-AadAppsForBC -Value Create-AadAppsForNav Export-ModuleMember -Function Create-AadAppsForNav -Alias Create-AadAppsForBC # SIG # Begin signature block # MIImbAYJKoZIhvcNAQcCoIImXTCCJlkCAQExDzANBglghkgBZQMEAgEFADB5Bgor # BgEEAYI3AgEEoGswaTA0BgorBgEEAYI3AgEeMCYCAwEAAAQQH8w7YFlLCE63JNLG # KX7zUQIBAAIBAAIBAAIBAAIBADAxMA0GCWCGSAFlAwQCAQUABCCBca0uXc3llOnX # lFWH/Dz1iUZdwEwlvE2Q2M6c8MyzF6CCH4QwggWNMIIEdaADAgECAhAOmxiO+dAt # 5+/bUOIIQBhaMA0GCSqGSIb3DQEBDAUAMGUxCzAJBgNVBAYTAlVTMRUwEwYDVQQK # EwxEaWdpQ2VydCBJbmMxGTAXBgNVBAsTEHd3dy5kaWdpY2VydC5jb20xJDAiBgNV # BAMTG0RpZ2lDZXJ0IEFzc3VyZWQgSUQgUm9vdCBDQTAeFw0yMjA4MDEwMDAwMDBa # Fw0zMTExMDkyMzU5NTlaMGIxCzAJBgNVBAYTAlVTMRUwEwYDVQQKEwxEaWdpQ2Vy # dCBJbmMxGTAXBgNVBAsTEHd3dy5kaWdpY2VydC5jb20xITAfBgNVBAMTGERpZ2lD # ZXJ0IFRydXN0ZWQgUm9vdCBHNDCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoC # ggIBAL/mkHNo3rvkXUo8MCIwaTPswqclLskhPfKK2FnC4SmnPVirdprNrnsbhA3E # MB/zG6Q4FutWxpdtHauyefLKEdLkX9YFPFIPUh/GnhWlfr6fqVcWWVVyr2iTcMKy # unWZanMylNEQRBAu34LzB4TmdDttceItDBvuINXJIB1jKS3O7F5OyJP4IWGbNOsF # xl7sWxq868nPzaw0QF+xembud8hIqGZXV59UWI4MK7dPpzDZVu7Ke13jrclPXuU1 # 5zHL2pNe3I6PgNq2kZhAkHnDeMe2scS1ahg4AxCN2NQ3pC4FfYj1gj4QkXCrVYJB # MtfbBHMqbpEBfCFM1LyuGwN1XXhm2ToxRJozQL8I11pJpMLmqaBn3aQnvKFPObUR # WBf3JFxGj2T3wWmIdph2PVldQnaHiZdpekjw4KISG2aadMreSx7nDmOu5tTvkpI6 # nj3cAORFJYm2mkQZK37AlLTSYW3rM9nF30sEAMx9HJXDj/chsrIRt7t/8tWMcCxB # YKqxYxhElRp2Yn72gLD76GSmM9GJB+G9t+ZDpBi4pncB4Q+UDCEdslQpJYls5Q5S # UUd0viastkF13nqsX40/ybzTQRESW+UQUOsxxcpyFiIJ33xMdT9j7CFfxCBRa2+x # q4aLT8LWRV+dIPyhHsXAj6KxfgommfXkaS+YHS312amyHeUbAgMBAAGjggE6MIIB # NjAPBgNVHRMBAf8EBTADAQH/MB0GA1UdDgQWBBTs1+OC0nFdZEzfLmc/57qYrhwP # TzAfBgNVHSMEGDAWgBRF66Kv9JLLgjEtUYunpyGd823IDzAOBgNVHQ8BAf8EBAMC # AYYweQYIKwYBBQUHAQEEbTBrMCQGCCsGAQUFBzABhhhodHRwOi8vb2NzcC5kaWdp # Y2VydC5jb20wQwYIKwYBBQUHMAKGN2h0dHA6Ly9jYWNlcnRzLmRpZ2ljZXJ0LmNv # bS9EaWdpQ2VydEFzc3VyZWRJRFJvb3RDQS5jcnQwRQYDVR0fBD4wPDA6oDigNoY0 # aHR0cDovL2NybDMuZGlnaWNlcnQuY29tL0RpZ2lDZXJ0QXNzdXJlZElEUm9vdENB # LmNybDARBgNVHSAECjAIMAYGBFUdIAAwDQYJKoZIhvcNAQEMBQADggEBAHCgv0Nc # Vec4X6CjdBs9thbX979XB72arKGHLOyFXqkauyL4hxppVCLtpIh3bb0aFPQTSnov # Lbc47/T/gLn4offyct4kvFIDyE7QKt76LVbP+fT3rDB6mouyXtTP0UNEm0Mh65Zy # oUi0mcudT6cGAxN3J0TU53/oWajwvy8LpunyNDzs9wPHh6jSTEAZNUZqaVSwuKFW # juyk1T3osdz9HNj0d1pcVIxv76FQPfx2CWiEn2/K2yCNNWAcAgPLILCsWKAOQGPF # mCLBsln1VWvPJ6tsds5vIy30fnFqI2si/xK4VC0nftg62fC2h5b9W9FcrBjDTZ9z # twGpn1eqXijiuZQwggYaMIIEAqADAgECAhBiHW0MUgGeO5B5FSCJIRwKMA0GCSqG # SIb3DQEBDAUAMFYxCzAJBgNVBAYTAkdCMRgwFgYDVQQKEw9TZWN0aWdvIExpbWl0 # ZWQxLTArBgNVBAMTJFNlY3RpZ28gUHVibGljIENvZGUgU2lnbmluZyBSb290IFI0 # NjAeFw0yMTAzMjIwMDAwMDBaFw0zNjAzMjEyMzU5NTlaMFQxCzAJBgNVBAYTAkdC # MRgwFgYDVQQKEw9TZWN0aWdvIExpbWl0ZWQxKzApBgNVBAMTIlNlY3RpZ28gUHVi # bGljIENvZGUgU2lnbmluZyBDQSBSMzYwggGiMA0GCSqGSIb3DQEBAQUAA4IBjwAw # ggGKAoIBgQCbK51T+jU/jmAGQ2rAz/V/9shTUxjIztNsfvxYB5UXeWUzCxEeAEZG # bEN4QMgCsJLZUKhWThj/yPqy0iSZhXkZ6Pg2A2NVDgFigOMYzB2OKhdqfWGVoYW3 # haT29PSTahYkwmMv0b/83nbeECbiMXhSOtbam+/36F09fy1tsB8je/RV0mIk8XL/ # tfCK6cPuYHE215wzrK0h1SWHTxPbPuYkRdkP05ZwmRmTnAO5/arnY83jeNzhP06S # hdnRqtZlV59+8yv+KIhE5ILMqgOZYAENHNX9SJDm+qxp4VqpB3MV/h53yl41aHU5 # pledi9lCBbH9JeIkNFICiVHNkRmq4TpxtwfvjsUedyz8rNyfQJy/aOs5b4s+ac7I # H60B+Ja7TVM+EKv1WuTGwcLmoU3FpOFMbmPj8pz44MPZ1f9+YEQIQty/NQd/2yGg # W+ufflcZ/ZE9o1M7a5Jnqf2i2/uMSWymR8r2oQBMdlyh2n5HirY4jKnFH/9gRvd+ # QOfdRrJZb1sCAwEAAaOCAWQwggFgMB8GA1UdIwQYMBaAFDLrkpr/NZZILyhAQnAg # NpFcF4XmMB0GA1UdDgQWBBQPKssghyi47G9IritUpimqF6TNDDAOBgNVHQ8BAf8E # BAMCAYYwEgYDVR0TAQH/BAgwBgEB/wIBADATBgNVHSUEDDAKBggrBgEFBQcDAzAb # BgNVHSAEFDASMAYGBFUdIAAwCAYGZ4EMAQQBMEsGA1UdHwREMEIwQKA+oDyGOmh0 # dHA6Ly9jcmwuc2VjdGlnby5jb20vU2VjdGlnb1B1YmxpY0NvZGVTaWduaW5nUm9v # dFI0Ni5jcmwwewYIKwYBBQUHAQEEbzBtMEYGCCsGAQUFBzAChjpodHRwOi8vY3J0 # LnNlY3RpZ28uY29tL1NlY3RpZ29QdWJsaWNDb2RlU2lnbmluZ1Jvb3RSNDYucDdj # MCMGCCsGAQUFBzABhhdodHRwOi8vb2NzcC5zZWN0aWdvLmNvbTANBgkqhkiG9w0B # AQwFAAOCAgEABv+C4XdjNm57oRUgmxP/BP6YdURhw1aVcdGRP4Wh60BAscjW4HL9 # hcpkOTz5jUug2oeunbYAowbFC2AKK+cMcXIBD0ZdOaWTsyNyBBsMLHqafvIhrCym # laS98+QpoBCyKppP0OcxYEdU0hpsaqBBIZOtBajjcw5+w/KeFvPYfLF/ldYpmlG+ # vd0xqlqd099iChnyIMvY5HexjO2AmtsbpVn0OhNcWbWDRF/3sBp6fWXhz7DcML4i # TAWS+MVXeNLj1lJziVKEoroGs9Mlizg0bUMbOalOhOfCipnx8CaLZeVme5yELg09 # Jlo8BMe80jO37PU8ejfkP9/uPak7VLwELKxAMcJszkyeiaerlphwoKx1uHRzNyE6 # bxuSKcutisqmKL5OTunAvtONEoteSiabkPVSZ2z76mKnzAfZxCl/3dq3dUNw4rg3 # sTCggkHSRqTqlLMS7gjrhTqBmzu1L90Y1KWN/Y5JKdGvspbOrTfOXyXvmPL6E52z # 1NZJ6ctuMFBQZH3pwWvqURR8AgQdULUvrxjUYbHHj95Ejza63zdrEcxWLDX6xWls # /GDnVNueKjWUH3fTv1Y8Wdho698YADR7TNx8X8z2Bev6SivBBOHY+uqiirZtg0y9 # ShQoPzmCcn63Syatatvx157YK9hlcPmVoa1oDE5/L9Uo2bC5a4CH2RwwggZZMIIE # waADAgECAhANIM3qwHRbWKHw+Zq6JhzlMA0GCSqGSIb3DQEBDAUAMFQxCzAJBgNV # BAYTAkdCMRgwFgYDVQQKEw9TZWN0aWdvIExpbWl0ZWQxKzApBgNVBAMTIlNlY3Rp # Z28gUHVibGljIENvZGUgU2lnbmluZyBDQSBSMzYwHhcNMjExMDIyMDAwMDAwWhcN # MjQxMDIxMjM1OTU5WjBdMQswCQYDVQQGEwJESzEUMBIGA1UECAwLSG92ZWRzdGFk # ZW4xGzAZBgNVBAoMEkZyZWRkeSBLcmlzdGlhbnNlbjEbMBkGA1UEAwwSRnJlZGR5 # IEtyaXN0aWFuc2VuMIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAgYC5 # tlg+VRktRRkahxxaV8+DAd6vHoDpcO6w7yT24lnSoMuA6nR7kgy90Y/sHIwKE9Ww # t/px/GAY8eBePWjJrFpG8fBtJbXadRTVd/470Hs/q9t+kh6A/0ELj7wYsKSNOyuF # Poy4rtClOv9ZmrRpoDVnh8Epwg2DpklX2BNzykzBQxIbkpp+xVo2mhPNWDIesntc # 4/BnSebLGw1Vkxmu2acKkIjYrne/7lsuyL9ue0vk8TGk9JBPNPbGKJvHu9szP9oG # oH36fU1sEZ+AacXrp+onsyPf/hkkpAMHAhzQHl+5Ikvcus/cDm06twm7VywmZcas # 2rFAV5MyE6WMEaYAolwAHiPz9WAs2GDhFtZZg1tzbRjJIIgPpR+doTIcpcDBcHnN # dSdgWKrTkr2f339oT5bnJfo7oVzc/2HGWvb8Fom6LQAqSC11vWmznHYsCm72g+fo # TKqW8lLDfLF0+aFvToLosrtW9l6Z+l+RQ8MtJ9EHOm2Ny8cFLzZCDZYw32BydwcL # V5rKdy4Ica9on5xZvyMOLiFwuL4v2V4pjEgKJaGSS/IVSMEGjrM9DHT6YS4/oq9q # 20rQUmMZZQmGmEyyKQ8t11si8VHtScN5m0Li8peoWfCU9mRFxSESwTWow8d462+o # 9/SzmDxCACdFwzvfKx4JqDMm55cL+beunIvc0NsCAwEAAaOCAZwwggGYMB8GA1Ud # IwQYMBaAFA8qyyCHKLjsb0iuK1SmKaoXpM0MMB0GA1UdDgQWBBTZD6uy9ZWIIqQh # 3srYu1FlUhdM0TAOBgNVHQ8BAf8EBAMCB4AwDAYDVR0TAQH/BAIwADATBgNVHSUE # DDAKBggrBgEFBQcDAzARBglghkgBhvhCAQEEBAMCBBAwSgYDVR0gBEMwQTA1Bgwr # BgEEAbIxAQIBAwIwJTAjBggrBgEFBQcCARYXaHR0cHM6Ly9zZWN0aWdvLmNvbS9D # UFMwCAYGZ4EMAQQBMEkGA1UdHwRCMEAwPqA8oDqGOGh0dHA6Ly9jcmwuc2VjdGln # by5jb20vU2VjdGlnb1B1YmxpY0NvZGVTaWduaW5nQ0FSMzYuY3JsMHkGCCsGAQUF # BwEBBG0wazBEBggrBgEFBQcwAoY4aHR0cDovL2NydC5zZWN0aWdvLmNvbS9TZWN0 # aWdvUHVibGljQ29kZVNpZ25pbmdDQVIzNi5jcnQwIwYIKwYBBQUHMAGGF2h0dHA6 # Ly9vY3NwLnNlY3RpZ28uY29tMA0GCSqGSIb3DQEBDAUAA4IBgQASEbZACurQeQN8 # WDTR+YyNpoQ29YAbbdBRhhzHkT/1ao7LE0QIOgGR4GwKRzufCAwu8pCBiMOUTDHT # ezkh0rQrG6khxBX2nSTBL5i4LwKMR08HgZBsbECciABy15yexYWoB/D0H8WuGe63 # PhGWueR4IFPbIz+jEVxfW0Nyyr7bXTecpKd1iprm+TOmzc2E6ab95dkcXdJVx6Zy # s++QrrOfQ+a57qEXkS/wnjjbN9hukL0zg+g8L4DHLKTodzfiQOampvV8QzbnB7Y8 # YjNcxR9s/nptnlQH3jorNFhktiBXvD62jc8pAIg6wyH6NxSMjtTsn7QhkIp2kusw # IQwD8hN/fZ/m6gkXZhRJWFr2WRZOz+edZ62Jf25C/NYWscwfBwn2hzRZf1HgyxkX # Al88dvvUA3kw1T6uo8aAB9IcL6Owiy7q4T+RLRF7oqx0vcw0193Yhq/gPOaUFlqz # ExP6TQ5TR9XWVPQk+a1B1ATKMLi1JShO6KWTmNkFkgkgpkW69BEwggauMIIElqAD # AgECAhAHNje3JFR82Ees/ShmKl5bMA0GCSqGSIb3DQEBCwUAMGIxCzAJBgNVBAYT # AlVTMRUwEwYDVQQKEwxEaWdpQ2VydCBJbmMxGTAXBgNVBAsTEHd3dy5kaWdpY2Vy # dC5jb20xITAfBgNVBAMTGERpZ2lDZXJ0IFRydXN0ZWQgUm9vdCBHNDAeFw0yMjAz # MjMwMDAwMDBaFw0zNzAzMjIyMzU5NTlaMGMxCzAJBgNVBAYTAlVTMRcwFQYDVQQK # Ew5EaWdpQ2VydCwgSW5jLjE7MDkGA1UEAxMyRGlnaUNlcnQgVHJ1c3RlZCBHNCBS # U0E0MDk2IFNIQTI1NiBUaW1lU3RhbXBpbmcgQ0EwggIiMA0GCSqGSIb3DQEBAQUA # A4ICDwAwggIKAoICAQDGhjUGSbPBPXJJUVXHJQPE8pE3qZdRodbSg9GeTKJtoLDM # g/la9hGhRBVCX6SI82j6ffOciQt/nR+eDzMfUBMLJnOWbfhXqAJ9/UO0hNoR8XOx # s+4rgISKIhjf69o9xBd/qxkrPkLcZ47qUT3w1lbU5ygt69OxtXXnHwZljZQp09ns # ad/ZkIdGAHvbREGJ3HxqV3rwN3mfXazL6IRktFLydkf3YYMZ3V+0VAshaG43IbtA # rF+y3kp9zvU5EmfvDqVjbOSmxR3NNg1c1eYbqMFkdECnwHLFuk4fsbVYTXn+149z # k6wsOeKlSNbwsDETqVcplicu9Yemj052FVUmcJgmf6AaRyBD40NjgHt1biclkJg6 # OBGz9vae5jtb7IHeIhTZgirHkr+g3uM+onP65x9abJTyUpURK1h0QCirc0PO30qh # HGs4xSnzyqqWc0Jon7ZGs506o9UD4L/wojzKQtwYSH8UNM/STKvvmz3+DrhkKvp1 # KCRB7UK/BZxmSVJQ9FHzNklNiyDSLFc1eSuo80VgvCONWPfcYd6T/jnA+bIwpUzX # 6ZhKWD7TA4j+s4/TXkt2ElGTyYwMO1uKIqjBJgj5FBASA31fI7tk42PgpuE+9sJ0 # sj8eCXbsq11GdeJgo1gJASgADoRU7s7pXcheMBK9Rp6103a50g5rmQzSM7TNsQID # AQABo4IBXTCCAVkwEgYDVR0TAQH/BAgwBgEB/wIBADAdBgNVHQ4EFgQUuhbZbU2F # L3MpdpovdYxqII+eyG8wHwYDVR0jBBgwFoAU7NfjgtJxXWRM3y5nP+e6mK4cD08w # DgYDVR0PAQH/BAQDAgGGMBMGA1UdJQQMMAoGCCsGAQUFBwMIMHcGCCsGAQUFBwEB # BGswaTAkBggrBgEFBQcwAYYYaHR0cDovL29jc3AuZGlnaWNlcnQuY29tMEEGCCsG # AQUFBzAChjVodHRwOi8vY2FjZXJ0cy5kaWdpY2VydC5jb20vRGlnaUNlcnRUcnVz # dGVkUm9vdEc0LmNydDBDBgNVHR8EPDA6MDigNqA0hjJodHRwOi8vY3JsMy5kaWdp # Y2VydC5jb20vRGlnaUNlcnRUcnVzdGVkUm9vdEc0LmNybDAgBgNVHSAEGTAXMAgG # BmeBDAEEAjALBglghkgBhv1sBwEwDQYJKoZIhvcNAQELBQADggIBAH1ZjsCTtm+Y # qUQiAX5m1tghQuGwGC4QTRPPMFPOvxj7x1Bd4ksp+3CKDaopafxpwc8dB+k+YMjY # C+VcW9dth/qEICU0MWfNthKWb8RQTGIdDAiCqBa9qVbPFXONASIlzpVpP0d3+3J0 # FNf/q0+KLHqrhc1DX+1gtqpPkWaeLJ7giqzl/Yy8ZCaHbJK9nXzQcAp876i8dU+6 # WvepELJd6f8oVInw1YpxdmXazPByoyP6wCeCRK6ZJxurJB4mwbfeKuv2nrF5mYGj # VoarCkXJ38SNoOeY+/umnXKvxMfBwWpx2cYTgAnEtp/Nh4cku0+jSbl3ZpHxcpzp # SwJSpzd+k1OsOx0ISQ+UzTl63f8lY5knLD0/a6fxZsNBzU+2QJshIUDQtxMkzdwd # eDrknq3lNHGS1yZr5Dhzq6YBT70/O3itTK37xJV77QpfMzmHQXh6OOmc4d0j/R0o # 08f56PGYX/sr2H7yRp11LB4nLCbbbxV7HhmLNriT1ObyF5lZynDwN7+YAN8gFk8n # +2BnFqFmut1VwDophrCYoCvtlUG3OtUVmDG0YgkPCr2B2RP+v6TR81fZvAT6gt4y # 3wSJ8ADNXcL50CN/AAvkdgIm2fBldkKmKYcJRyvmfxqkhQ/8mJb2VVQrH4D6wPIO # K+XW+6kvRBVK5xMOHds3OBqhK/bt1nz8MIIGwjCCBKqgAwIBAgIQBUSv85SdCDmm # v9s/X+VhFjANBgkqhkiG9w0BAQsFADBjMQswCQYDVQQGEwJVUzEXMBUGA1UEChMO # RGlnaUNlcnQsIEluYy4xOzA5BgNVBAMTMkRpZ2lDZXJ0IFRydXN0ZWQgRzQgUlNB # NDA5NiBTSEEyNTYgVGltZVN0YW1waW5nIENBMB4XDTIzMDcxNDAwMDAwMFoXDTM0 # MTAxMzIzNTk1OVowSDELMAkGA1UEBhMCVVMxFzAVBgNVBAoTDkRpZ2lDZXJ0LCBJ # bmMuMSAwHgYDVQQDExdEaWdpQ2VydCBUaW1lc3RhbXAgMjAyMzCCAiIwDQYJKoZI # hvcNAQEBBQADggIPADCCAgoCggIBAKNTRYcdg45brD5UsyPgz5/X5dLnXaEOCdwv # SKOXejsqnGfcYhVYwamTEafNqrJq3RApih5iY2nTWJw1cb86l+uUUI8cIOrHmjsv # lmbjaedp/lvD1isgHMGXlLSlUIHyz8sHpjBoyoNC2vx/CSSUpIIa2mq62DvKXd4Z # GIX7ReoNYWyd/nFexAaaPPDFLnkPG2ZS48jWPl/aQ9OE9dDH9kgtXkV1lnX+3RCh # G4PBuOZSlbVH13gpOWvgeFmX40QrStWVzu8IF+qCZE3/I+PKhu60pCFkcOvV5aDa # Y7Mu6QXuqvYk9R28mxyyt1/f8O52fTGZZUdVnUokL6wrl76f5P17cz4y7lI0+9S7 # 69SgLDSb495uZBkHNwGRDxy1Uc2qTGaDiGhiu7xBG3gZbeTZD+BYQfvYsSzhUa+0 # rRUGFOpiCBPTaR58ZE2dD9/O0V6MqqtQFcmzyrzXxDtoRKOlO0L9c33u3Qr/eTQQ # fqZcClhMAD6FaXXHg2TWdc2PEnZWpST618RrIbroHzSYLzrqawGw9/sqhux7Ujip # mAmhcbJsca8+uG+W1eEQE/5hRwqM/vC2x9XH3mwk8L9CgsqgcT2ckpMEtGlwJw1P # t7U20clfCKRwo+wK8REuZODLIivK8SgTIUlRfgZm0zu++uuRONhRB8qUt+JQofM6 # 04qDy0B7AgMBAAGjggGLMIIBhzAOBgNVHQ8BAf8EBAMCB4AwDAYDVR0TAQH/BAIw # ADAWBgNVHSUBAf8EDDAKBggrBgEFBQcDCDAgBgNVHSAEGTAXMAgGBmeBDAEEAjAL # BglghkgBhv1sBwEwHwYDVR0jBBgwFoAUuhbZbU2FL3MpdpovdYxqII+eyG8wHQYD # VR0OBBYEFKW27xPn783QZKHVVqllMaPe1eNJMFoGA1UdHwRTMFEwT6BNoEuGSWh0 # dHA6Ly9jcmwzLmRpZ2ljZXJ0LmNvbS9EaWdpQ2VydFRydXN0ZWRHNFJTQTQwOTZT # SEEyNTZUaW1lU3RhbXBpbmdDQS5jcmwwgZAGCCsGAQUFBwEBBIGDMIGAMCQGCCsG # AQUFBzABhhhodHRwOi8vb2NzcC5kaWdpY2VydC5jb20wWAYIKwYBBQUHMAKGTGh0 # dHA6Ly9jYWNlcnRzLmRpZ2ljZXJ0LmNvbS9EaWdpQ2VydFRydXN0ZWRHNFJTQTQw # OTZTSEEyNTZUaW1lU3RhbXBpbmdDQS5jcnQwDQYJKoZIhvcNAQELBQADggIBAIEa # 1t6gqbWYF7xwjU+KPGic2CX/yyzkzepdIpLsjCICqbjPgKjZ5+PF7SaCinEvGN1O # tt5s1+FgnCvt7T1IjrhrunxdvcJhN2hJd6PrkKoS1yeF844ektrCQDifXcigLiV4 # JZ0qBXqEKZi2V3mP2yZWK7Dzp703DNiYdk9WuVLCtp04qYHnbUFcjGnRuSvExnvP # nPp44pMadqJpddNQ5EQSviANnqlE0PjlSXcIWiHFtM+YlRpUurm8wWkZus8W8oM3 # NG6wQSbd3lqXTzON1I13fXVFoaVYJmoDRd7ZULVQjK9WvUzF4UbFKNOt50MAcN7M # mJ4ZiQPq1JE3701S88lgIcRWR+3aEUuMMsOI5ljitts++V+wQtaP4xeR0arAVeOG # v6wnLEHQmjNKqDbUuXKWfpd5OEhfysLcPTLfddY2Z1qJ+Panx+VPNTwAvb6cKmx5 # AdzaROY63jg7B145WPR8czFVoIARyxQMfq68/qTreWWqaNYiyjvrmoI1VygWy2ny # Mpqy0tg6uLFGhmu6F/3Ed2wVbK6rr3M66ElGt9V/zLY4wNjsHPW2obhDLN9OTH0e # aHDAdwrUAuBcYLso/zjlUlrWrBciI0707NMX+1Br/wd3H3GXREHJuEbTbDJ8WC9n # R2XlG3O2mflrLAZG70Ee8PBf4NvZrZCARK+AEEGKMYIGPjCCBjoCAQEwaDBUMQsw # CQYDVQQGEwJHQjEYMBYGA1UEChMPU2VjdGlnbyBMaW1pdGVkMSswKQYDVQQDEyJT # ZWN0aWdvIFB1YmxpYyBDb2RlIFNpZ25pbmcgQ0EgUjM2AhANIM3qwHRbWKHw+Zq6 # JhzlMA0GCWCGSAFlAwQCAQUAoIGEMBgGCisGAQQBgjcCAQwxCjAIoAKAAKECgAAw # GQYJKoZIhvcNAQkDMQwGCisGAQQBgjcCAQQwHAYKKwYBBAGCNwIBCzEOMAwGCisG # AQQBgjcCARUwLwYJKoZIhvcNAQkEMSIEILkEwIwEvJR2XSkRBxPZNm288j7bowXI # dMG44Rar5EVRMA0GCSqGSIb3DQEBAQUABIICADO10JSmRXZHRl3Tn9itCvtmsyRo # s1WLgvkXPMTn5s8xEk4UDlzk3aPoztMDfFZ+GCiqzlVw/I/K4UwTWrzP5vVKbK/b # RzY6hUIKJLCJM8zHgDpaEu3UM2+RJqkqOCBF6WoMO1zASTh3BOS5LogCLRmyF77H # oc3kCk+b4pRSoaV2NeltkXBRxQ12s83T75eTiuwKsoAA0M9U9j3yaUjW+gFXoV1Q # wn9iBwsRirkFZ2jrAF7vgCv3BUn4aqzy53t1VAHhD1F7mZxwt5LjKJZBkdp1GBiP # RjwfagXU8BSm6oOOclI1Vd3WcKiFwaWWuXKihw5F5m2QGgjMGM53ZdY2nvHqjFtq # UEdj6ix72/Av6sPETYSs2xi9P9ZQJUCPiz0Prj4jfbFOHEeh4k8mfOTJfQCqrz0f # 8CCFoNMae5aDKY/YdrK/mC/AIcllPI38bPkxyT4fCd+tu2MUhzBXYK/ShKB2QZ+C # XeJGiElrM9UHRG5vMRP9i+ZZIeC9dLyduSom+KyeI/42a+02VtZaeiglZZPqAsKN # CTqhVuDRz+gmpUgq357ovyjLgr1sruYY0O7K3F/3/VJB09WGFvg/4slgBhsWn+ki # W0/3gMbVS3YW723A3fOp8sJSFVjIOM20879VqiuiFlOanxecwbJ8kBfunkctV/Yi # oTQhjKhJY8ZTwz/5oYIDIDCCAxwGCSqGSIb3DQEJBjGCAw0wggMJAgEBMHcwYzEL # MAkGA1UEBhMCVVMxFzAVBgNVBAoTDkRpZ2lDZXJ0LCBJbmMuMTswOQYDVQQDEzJE # aWdpQ2VydCBUcnVzdGVkIEc0IFJTQTQwOTYgU0hBMjU2IFRpbWVTdGFtcGluZyBD # QQIQBUSv85SdCDmmv9s/X+VhFjANBglghkgBZQMEAgEFAKBpMBgGCSqGSIb3DQEJ # AzELBgkqhkiG9w0BBwEwHAYJKoZIhvcNAQkFMQ8XDTI0MDkxODA1NTU0MVowLwYJ # KoZIhvcNAQkEMSIEIJI+RrJSWAiYP2cHJjJ3r5b/lpO37j6+BUpViwY91YIxMA0G # CSqGSIb3DQEBAQUABIICAHLAzWOdJjt/pa6MyNM5lf3R7witJ8Kn5x/TcPGXsAHz # tLHggYhmCSvO2AHnMBldDSOJSlCfYor26G/hNI6q75fz66SQrhDVVYblk3vrXR3s # fj4tz33cYKXxMFFR67GlUPLb7pa/NjovERyUSBe4TQ9t/UINnyFzjJMJ/NarQFJf # FfLOwCzt9s/ogx78r+//aJa2OnzpJuotB/KGtMH0eG4TxWpT1YyU3qZe7NcmlFIS # PhxBhhWs57SXUmMzXekUQWwRnI0UlSaEpQvaWo57WzxnM+ssyxEO7CvkBKsygXHI # CIQ+sxHQSLxA/8nhlM4mhJQIFUcySbGd9czAr/3Kr2djMst1aLO+rW5Luvnoc3Ig # 2R4XuBTyVhoL+t8RqSLFJuZjnctU97LlsS5TNwovCjCJunv9NcE8trzRAmOlDN0Z # u2nsJQzma3u3zbPBipcjgxGbh4Ay2U5Fo6ZCMjKxafphGeZL/tnskXojUK+hgBG6 # MqfuGfp285dISe4aAJWR8tejYlgL55DqWcjnPZmH9I5TOGeOjKN8r2gBAnozhaSY # h7y6weyu2tMOQs2FfxHHKhcJMfPltFmhmaowA/usAXOdn6PLe9n77F2SRAB8+Z1i # Mb+Sgk1h4HHT7C2RrPJRMPlaTaBvaUmqUgnxzqJvLvJpKwTypPKyq13ZH/wiIk6T # SIG # End signature block |